Install an F18 VM with UEFI

First we need to install a guest using UEFI instead of traditional bios.
Anaconda will put all the right bits in place for us. You can probably
convert an existing bios guest to use UEFI but I haven't found steps to do
so.

I recommend using a DVD, network installs seem to be sloooow using OVMF:

Follow the install to completion, log in and do firstboot, then move along.
Secure boot isn't set up yet.

Grab LockDown_ms.efi

Since OVMF doesn't ship with any SecureBoot keys installed, we need to
install some to mimic what an MS certified UEFI machine will ship with.
But here's a crappy thing about OVMF and KVM: right now there's no way to
persist UEFI config across VM start/stop. So if we want to test SecureBoot,
we need to install the MS keys and enable secureboot on every VM restart.

Luckily there's a tool that does all this for us, called LockDown_ms.efi.
This is derived from code in efitools.git.

Misc bits

EDK2 Licensing Issues

EDK2 contains a FAT filesystem driver that is licensed under terms that
make it not acceptable for packaging in Fedora. Particularly that there's
a usage restricition only allowing the code to be used in a UEFI
implementation. More details here at Edk2-fat-driver

The driver is critical functionality so removing it is not an option.

Running EDK2 nightly builds

Gerd Hoffman, Red Hatter and QEMU developer, has a yum repo on his personal
site that provides nightly builds of a whole bunch of QEMU/KVM firmware,
including EDK2/OVMF.

Currently though, latest OVMF broke F18 SecureBoot: running the above steps
will give the following error when trying to boot shim.efi:

Error reported: Security Violation

There's a fix in upstream pesign, but as of this writing, shim
in F18 hasn't been regenerated to pick up the fix.